Tor malware is becoming a worryingly popular ransomware tool

SystemBC RAT is being used as an off-the-shelf Tor backdoor

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Researchers atSophos Labshave been tracking a new ransomware tool available on underground hacking forums which has evolved into aTorproxy and remote control tool that is now being used in the wild.

The tool is called SystemBC and it serves as a backdoor that provides attackers with a persistent connection to their victims' systems.

First observed last year, it acts as both a network proxy for concealed communications and as a remote administration tool (RAT) capable of executing Windows commands as well as delivering and executing scripts, malicious executable and dynamic link libraries (DLL).

SystemBC has evolved over the past year from acting as virtual private network (VPN) through a SOCKS5 proxy to using the Tor network to encrypt and conceal the destination of command and control traffic.

SystemBC RAT

During the course of its recent investigations, Sophos MTR’s Rapid Response team has seen SystemBC used in recentRyukandEgregorransomware attacks, though it is often used alongside other post-exploitation tools such asCobalt Strike. However, in some cases, the SystemBC RAT was deployed to servers after attackers had gained access to administrative credentials and moved deeper into a targeted network.

When deployed, the tool will copy and schedule itself as a service but this step will be skipped if Emsisoftantivirus softwareis detected on a victim’s system. SystemBC then establishes a connection to a command and control server using a beacon connection to a remote server based at one of two hard-coded domains.

In a newblog post, senior threat researcher Sean Gallagher and threat researcher Sivagnanam Gn at Sophos provided further insight on how SystemBC now connects to the Tor network, saying:

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

“The Tor communications element of SystemBC appears to be based on mini-tor, an open-source library for lightweight connectivity to the Tor anonymized network. The code of mini-Tor isn’t duplicated in SystemBC (since mini-Tor is written in C++ and SystemBC is compiled from C). But the bot’s implementation of the Tor client closely resembles the implementation used in the open-source program, including its extensive use of the Windows Crypto Next Gen (CNG) API’s Base Crypto (BCrypt) functions.”

As SystemBC is often deployed as an off-the-shelf tool, its is likely that ransomware attackers are acquiring it frommalware-as-a-serviceoperations in underground forums. The tool has become increasingly popular among cybercriminals due to the fact that it allows for multiple targets to be worked at the same time.

ViaZDNet

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.

Phishing attacks surge in 2024 as cybercriminals adopt AI tools and multi-channel tactics

This new phishing strategy utilizes GitHub comments to distribute malware

Smeg Combi Steam Oven review: a multi-functional countertop oven that looks stunning and cooks well